@fuzdev/fuz_app 0.62.0 → 0.64.0

package/dist/auth/account_action_specs.js

@@ -90,22 +90,26 @@ export const account_session_list_action_spec = {
     async: true,
     description: 'List auth sessions for the current account.',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+// A leaked bearer can otherwise compose `account_session_list` + N×revoke to
+// reach the same effect as `account_session_revoke_all`.
 export const account_session_revoke_action_spec = {
     method: 'account_session_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: SessionRevokeInput,
     output: SessionRevokeOutput,
     async: true,
     description: 'Revoke a single auth session for the current account (IDOR-guarded).',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
 export const account_session_revoke_all_action_spec = {
     method: 'account_session_revoke_all',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: SessionRevokeAllInput,
     output: SessionRevokeAllOutput,
@@ -113,6 +117,8 @@ export const account_session_revoke_all_action_spec = {
     description: 'Revoke every auth session for the current account.',
 };
 /**
+ * `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+ *
  * `rate_limit: 'account'` bounds the burn rate of API-token creates. The
  * outstanding-token count is already capped by `max_tokens` (via
  * `query_api_token_enforce_limit`), but the per-account *rate* of churn
@@ -124,7 +130,7 @@ export const account_token_create_action_spec = {
     method: 'account_token_create',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: TokenCreateInput,
     output: TokenCreateOutput,
@@ -143,11 +149,12 @@ export const account_token_list_action_spec = {
     async: true,
     description: 'List API tokens for the current account. Hashes are never returned.',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
 export const account_token_revoke_action_spec = {
     method: 'account_token_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: TokenRevokeInput,
     output: TokenRevokeOutput,

package/dist/auth/account_actions.d.ts

@@ -23,6 +23,7 @@
  * @module
  */
 import { type RpcAction } from '../actions/action_rpc.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 import type { RouteFactoryDeps } from './deps.js';
 /** Options for `create_account_actions`. */
 export interface AccountActionOptions {
@@ -33,6 +34,18 @@ export interface AccountActionOptions {
      * `DEFAULT_MAX_TOKENS`; pass `null` to disable the cap.
      */
     max_tokens?: number | null;
+    /**
+     * Live-connection closer — when set, `account_session_revoke` /
+     * `_session_revoke_all` / `account_token_revoke` handlers eagerly close
+     * affected WebSocket sockets BEFORE emitting the corresponding audit
+     * event. Closes the audit-failure-leaks-WS surface: the listener-based
+     * close (`transports_ws_auth_guard`) only fires after the audit INSERT
+     * succeeds, so a DB error would leave live sockets stale. `BackendWebsocketTransport`
+     * satisfies this interface structurally; consumers pass their transport
+     * instance directly. When absent, only the listener-based close runs.
+     * Mirrors `zzz_server`'s handler-side `close_sockets_for_*` calls.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /**
  * Create the self-service account RPC actions.

package/dist/auth/account_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAe5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAsGjB,CAAC"}
+{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAetE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B;;;;;;;;;;OAUG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAyIjB,CAAC"}

package/dist/auth/account_actions.js

@@ -39,7 +39,7 @@ import { account_verify_action_spec, account_session_list_action_spec, account_s
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
 export const create_account_actions = (deps, options = {}) => {
-    const { max_tokens = DEFAULT_MAX_TOKENS } = options;
+    const { max_tokens = DEFAULT_MAX_TOKENS, connection_closer = null } = options;
     const verify_handler = (_input, ctx) => {
         return to_session_account(ctx.auth.account);
     };
@@ -49,22 +49,49 @@ export const create_account_actions = (deps, options = {}) => {
     };
     const session_revoke_handler = async (input, ctx) => {
         const revoked = await query_session_revoke_for_account(ctx, input.session_id, ctx.auth.account.id);
+        // Handler-side belt+suspenders: close the live WS socket bound to this
+        // session BEFORE the audit emit, so revocation lands even if the audit
+        // INSERT fails. The real ordering invariant is "before the transaction
+        // commits": this handler runs inside the dispatcher's transaction
+        // (side_effects: true), so any throw between this close and the return
+        // would roll back the DB revoke while leaving the socket severed. That
+        // is benign — the session is still valid, the client reconnects — but
+        // don't introduce a throw here without acknowledging the trade.
+        // Only fire on success — failure carries an attacker-guessable
+        // session_id and the listener-based close already ignores failure
+        // outcomes for the same reason. Idempotent — the audit listener runs a
+        // second close on success but matches no sockets the second time.
+        if (revoked && connection_closer) {
+            connection_closer.close_sockets_for_session(input.session_id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'session_revoke',
             outcome: revoked ? 'success' : 'failure',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { session_id: input.session_id },
+            // `credential_type` defense in depth — see `docs/security.md` §Credential-channel gating.
+            metadata: { session_id: input.session_id, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, revoked };
     };
     const session_revoke_all_handler = async (_input, ctx) => {
         const count = await query_session_revoke_all_for_account(ctx, ctx.auth.account.id);
+        // Handler-side belt+suspenders — see session_revoke_handler comment.
+        // Close fires regardless of `count` (today `count >= 1` always — the
+        // caller is using the session they're revoking; future bearer / daemon-
+        // token-credentialed callers may hit `count: 0`). Symmetric with the
+        // admin revoke-all handlers in `admin_actions.ts`, where `count: 0` is
+        // a real outcome (target account had no live sessions/tokens) and the
+        // eager close still fires to scrub sockets that the audit listener
+        // would otherwise miss when the INSERT fails. Idempotent at all counts.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(ctx.auth.account.id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'session_revoke_all',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { count },
+            metadata: { count, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, count };
     };
@@ -78,7 +105,11 @@ export const create_account_actions = (deps, options = {}) => {
             event_type: 'token_create',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { token_id: id, name: input.name },
+            metadata: {
+                token_id: id,
+                name: input.name,
+                credential_type: ctx.credential_type ?? undefined,
+            },
         });
         return { ok: true, token, id, name: input.name };
     };
@@ -88,12 +119,16 @@ export const create_account_actions = (deps, options = {}) => {
     };
     const token_revoke_handler = async (input, ctx) => {
         const revoked = await query_revoke_api_token_for_account(ctx, input.token_id, ctx.auth.account.id);
+        // Handler-side belt+suspenders — see session_revoke_handler comment.
+        if (revoked && connection_closer) {
+            connection_closer.close_sockets_for_token(input.token_id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'token_revoke',
             outcome: revoked ? 'success' : 'failure',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { token_id: input.token_id },
+            metadata: { token_id: input.token_id, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, revoked };
     };

package/dist/auth/account_routes.d.ts

@@ -26,6 +26,7 @@ import type { SessionOptions } from './session_cookie.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 /** Input for `GET /api/account/status`. No parameters — caller is the subject. */
 export declare const AccountStatusInput: z.ZodNull;
 export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
@@ -41,7 +42,7 @@ export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
 export declare const AccountStatusOutput: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
         email: z.ZodNullable<z.ZodEmail>;
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;
@@ -143,10 +144,19 @@ export interface AccountRouteOptions extends AuthSessionRouteOptions {
      * jitter while keeping the floor. Default `DEFAULT_LOGIN_FAIL_JITTER_MS`.
      */
     login_fail_jitter_ms?: number;
+    /**
+     * Live-connection closer — when set, the `logout` and `password` handlers
+     * eagerly close affected WebSocket sockets for the account BEFORE
+     * emitting the corresponding audit event. Mirrors the self-service
+     * action surface (see `AccountActionOptions.connection_closer`). When
+     * absent, only the listener-based close (`transports_ws_auth_guard` on
+     * `audit.on_event_chain`) runs.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /** Input for `POST /login`. Accepts a username or email in the `username` field. */
 export declare const LoginInput: z.ZodObject<{
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
 }, z.core.$strict>;
 export type LoginInput = z.infer<typeof LoginInput>;

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA0PjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA+SjB,CAAC"}

package/dist/auth/account_routes.js

@@ -29,7 +29,7 @@ import { hash_session_token, query_session_revoke_all_for_account, query_session
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
-import { ACCOUNT_ID_KEY } from '../hono_context.js';
+import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -217,7 +217,7 @@ export const PasswordChangeOutput = z.strictObject({
  */
 export const create_account_route_specs = (deps, options) => {
     const { keyring, password } = deps;
-    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, } = options;
+    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, connection_closer = null, } = options;
     return [
         {
             method: 'GET',
@@ -254,8 +254,12 @@ export const create_account_route_specs = (deps, options) => {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
-                const { username: raw_username, password: pw } = get_route_input(c);
-                const username = raw_username.trim().toLowerCase();
+                // `UsernameProvided` canonicalizes via `.trim().toLowerCase()` at
+                // parse time — the validated value lands canonical in
+                // `c.var.validated_input`, so the per-account rate-limit key,
+                // DB lookup, and audit metadata see one form. See
+                // `primitive_schemas.ts` for the schema-layer canonicalization.
+                const { username, password: pw } = get_route_input(c);
                 // DB lookup first so we can key the per-account rate limit by a canonical value
                 // (account.id) rather than the submitted identifier. Otherwise an attacker could
                 // alternate between username and email to double the per-account bucket.
@@ -339,6 +343,21 @@ export const create_account_route_specs = (deps, options) => {
                 if (session_token) {
                     const token_hash = hash_session_token(session_token);
                     await query_session_revoke_by_hash_unscoped(route, token_hash);
+                    // Handler-side belt+suspenders: close the live WS bound to
+                    // this session BEFORE the audit emit so revocation lands
+                    // even if the audit INSERT fails. Same transaction-commit
+                    // trade as `password` / RPC `session_revoke` below — a
+                    // throw between this close and the response rolls back the
+                    // DB revoke while leaving the socket severed; benign
+                    // (client reconnects, session still valid) but don't
+                    // introduce a throw here without acknowledging the trade.
+                    // The audit listener (`create_ws_logout_closer`) runs an
+                    // account-wide close on the logout event afterward —
+                    // broader than this targeted close, but both layers are
+                    // idempotent. Mirrors `zzz_server::account::logout_inner`.
+                    if (connection_closer) {
+                        connection_closer.close_sockets_for_session(token_hash);
+                    }
                 }
                 clear_session_cookie(c, session_options);
                 // Account-grain operation — no `actor_id` (which actor was
@@ -355,7 +374,8 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/password',
-            auth: { account: 'required', actor: 'none' },
+            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
             description: 'Change password (revokes all sessions and API tokens)',
             input: PasswordChangeInput,
             output: PasswordChangeOutput,
@@ -376,6 +396,8 @@ export const create_account_route_specs = (deps, options) => {
                 }
                 const ctx = require_request_context(c);
                 const { current_password, new_password } = get_route_input(c);
+                // Defense in depth — see `docs/security.md` §Credential-channel gating.
+                const credential_type = c.get(CREDENTIAL_TYPE_KEY) ?? undefined;
                 // per-account rate limit check (after context resolution, before argon2 work)
                 if (login_account_rate_limiter) {
                     const check = login_account_rate_limiter.check(ctx.account.id);
@@ -394,14 +416,14 @@ export const create_account_route_specs = (deps, options) => {
                         outcome: 'failure',
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
+                        metadata: { credential_type },
                     });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
-                // successful verification — reset rate limiters
-                if (ip_rate_limiter && ip)
-                    ip_rate_limiter.reset(ip);
-                if (login_account_rate_limiter)
-                    login_account_rate_limiter.reset(ctx.account.id);
+                // Verify succeeded — do the throw-y operations FIRST so a fault
+                // (Argon2 OOM, native binding error, DB outage on the UPDATE)
+                // can't wipe the rate-limit history of a caller observing 500s.
+                // Resets happen below, after both calls have settled.
                 const new_hash = await password.hash_password(new_password);
                 // Conditional UPDATE keyed on the verified hash: closes the
                 // verify-write race with a concurrent password change that
@@ -409,6 +431,19 @@ export const create_account_route_specs = (deps, options) => {
                 // operation — `updated_by` stays null (the per-request actor is
                 // incidental; password is account-level state).
                 const updated = await query_update_account_password(route, ctx.account.id, new_hash, null, ctx.account.password_hash);
+                // Verify-success contract — the caller proved knowledge, so wipe
+                // their failure history. The race-loser branch below re-records
+                // one on top of the wiped slate so net cost stays 1 (mirrors the
+                // verify-fail branch above's `record`-from-prior+1 outcome when
+                // prior was 0; for prior > 0 the race-loser pays exactly 1,
+                // matching the OLD pre-S1 behavior). Deferring from "after
+                // verify" to "after UPDATE settled" is what closes the S1
+                // bypass — a throw between reset and the UPDATE could have
+                // wiped an attacker's budget.
+                if (ip_rate_limiter && ip)
+                    ip_rate_limiter.reset(ip);
+                if (login_account_rate_limiter)
+                    login_account_rate_limiter.reset(ctx.account.id);
                 if (!updated) {
                     // A concurrent password change committed first — our
                     // `current_password` was correct at read-time but the row's
@@ -426,13 +461,29 @@ export const create_account_route_specs = (deps, options) => {
                         outcome: 'failure',
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
-                        metadata: { reason: 'concurrent_change' },
+                        metadata: { reason: 'concurrent_change', credential_type },
                     });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
                 // revoke all sessions and API tokens (force re-auth everywhere)
                 const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
                 const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
+                // Handler-side belt+suspenders — close every live WS socket on
+                // this account BEFORE the audit emit so the revoke-all cascade
+                // lands even if the audit INSERT fails. The real ordering
+                // invariant is "before the transaction commits": this route
+                // runs with the default `transaction: true`, so a throw between
+                // this close and the response would roll back the password
+                // update + session/token revokes while leaving sockets severed.
+                // Benign — affected clients reconnect with their still-valid
+                // session — but don't introduce a throw here without
+                // acknowledging the trade. Listener-based close
+                // (`transports_ws_auth_guard` on the `password_change` event)
+                // runs the same close afterward; idempotent on the second pass.
+                // Mirrors `zzz_server::account::password_inner`.
+                if (connection_closer) {
+                    connection_closer.close_sockets_for_account(ctx.account.id);
+                }
                 clear_session_cookie(c, session_options);
                 // Account-grain operation — no `actor_id`. The password is
                 // account-level state; which per-request actor was resolved
@@ -442,7 +493,7 @@ export const create_account_route_specs = (deps, options) => {
                     event_type: 'password_change',
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
-                    metadata: { sessions_revoked, tokens_revoked },
+                    metadata: { sessions_revoked, tokens_revoked, credential_type },
                 });
                 return c.json({ ok: true, sessions_revoked, tokens_revoked });
             },

package/dist/auth/account_schema.d.ts

@@ -5,9 +5,9 @@
  * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
  *
  * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
- * in `../primitive_schemas.ts` — they're general validator shapes that
+ * in `primitive_schemas.ts` — they're general validator shapes that
  * don't depend on the auth domain. The auth-shape request-contract
- * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * primitive `ActingActor` lives in `http/auth_shape.ts` next to
  * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
  * `acting?: ActingActor`).
  *
@@ -106,7 +106,7 @@ export interface ApiToken {
 /** Zod schema for `SessionAccount` — account without sensitive fields. */
 export declare const SessionAccountJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     email: z.ZodNullable<z.ZodEmail>;
     email_verified: z.ZodBoolean;
     created_at: z.ZodString;
@@ -152,7 +152,7 @@ export type ActorSummaryJson = z.infer<typeof ActorSummaryJson>;
 /** Zod schema for admin-facing account data — extends `SessionAccountJson` with audit fields. */
 export declare const AdminAccountJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     email: z.ZodNullable<z.ZodEmail>;
     email_verified: z.ZodBoolean;
     created_at: z.ZodString;
@@ -188,7 +188,7 @@ export type PendingOfferSummaryJson = z.infer<typeof PendingOfferSummaryJson>;
 export declare const AdminAccountEntryJson: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
         email: z.ZodNullable<z.ZodEmail>;
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;

package/dist/auth/account_schema.js

@@ -5,9 +5,9 @@
  * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
  *
  * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
- * in `../primitive_schemas.ts` — they're general validator shapes that
+ * in `primitive_schemas.ts` — they're general validator shapes that
  * don't depend on the auth domain. The auth-shape request-contract
- * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * primitive `ActingActor` lives in `http/auth_shape.ts` next to
  * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
  * `acting?: ActingActor`).
  *

package/dist/auth/actor_lookup_actions.d.ts

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`) +
  * rate-limit (`account`-grain) enforced at the spec layer; see
- * `./actor_lookup_action_specs.ts` for the info-leak audit.
+ * `auth/actor_lookup_action_specs.ts` for the info-leak audit.
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `display_name?` so the typed client sees an

package/dist/auth/actor_lookup_actions.js

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`) +
  * rate-limit (`account`-grain) enforced at the spec layer; see
- * `./actor_lookup_action_specs.ts` for the info-leak audit.
+ * `auth/actor_lookup_action_specs.ts` for the info-leak audit.
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `display_name?` so the typed client sees an

package/dist/auth/actor_lookup_queries.d.ts

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` § audit):
+ * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_lookup_queries.js

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` § audit):
+ * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_search_action_specs.d.ts

@@ -45,7 +45,7 @@
  * ## Wire shape — info-leak audit
  *
  * Output `{actors: [{id, username, display_name?}]}` is identical to
- * `actor_lookup`'s — see `./actor_lookup_action_specs.ts` for the full
+ * `actor_lookup`'s — see `auth/actor_lookup_action_specs.ts` for the full
  * field-by-field audit. Same omissions (`account_id`, email,
  * timestamps, role / role_grants / session state), same `display_name`
  * omitted-not-null contract, same response-order-unspecified rule.

package/dist/auth/actor_search_action_specs.js

@@ -45,7 +45,7 @@
  * ## Wire shape — info-leak audit
  *
  * Output `{actors: [{id, username, display_name?}]}` is identical to
- * `actor_lookup`'s — see `./actor_lookup_action_specs.ts` for the full
+ * `actor_lookup`'s — see `auth/actor_lookup_action_specs.ts` for the full
  * field-by-field audit. Same omissions (`account_id`, email,
  * timestamps, role / role_grants / session state), same `display_name`
  * omitted-not-null contract, same response-order-unspecified rule.

package/dist/auth/actor_search_actions.d.ts

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`,
  * `actor: 'none'`) + rate-limit (`account`-grain) enforced at the spec
- * layer; see `./actor_search_action_specs.ts` for the info-leak audit
+ * layer; see `auth/actor_search_action_specs.ts` for the info-leak audit
  * and threat model.
  *
  * The handler adds two checks the spec layer can't express:

package/dist/auth/actor_search_actions.js

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`,
  * `actor: 'none'`) + rate-limit (`account`-grain) enforced at the spec
- * layer; see `./actor_search_action_specs.ts` for the info-leak audit
+ * layer; see `auth/actor_search_action_specs.ts` for the info-leak audit
  * and threat model.
  *
  * The handler adds two checks the spec layer can't express:

package/dist/auth/actor_search_queries.d.ts

@@ -29,7 +29,7 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` § audit)
+ * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
  *   wire-visible. Identical to `actor_lookup_queries.ts`.

package/dist/auth/actor_search_queries.js

@@ -29,7 +29,7 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` § audit)
+ * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
  *   wire-visible. Identical to `actor_lookup_queries.ts`.

package/dist/auth/admin_action_specs.d.ts

@@ -35,7 +35,7 @@ export declare const AdminAccountListOutput: z.ZodObject<{
     accounts: z.ZodArray<z.ZodObject<{
         account: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-            username: z.ZodString;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
             email: z.ZodNullable<z.ZodEmail>;
             email_verified: z.ZodBoolean;
             created_at: z.ZodString;
@@ -183,7 +183,7 @@ export type AuditLogRoleGrantHistoryOutput = z.infer<typeof AuditLogRoleGrantHis
 /** Input for `invite_create`. At least one of `email` / `username` must be provided. */
 export declare const InviteCreateInput: z.ZodObject<{
     email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
-    username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    username: z.ZodOptional<z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>>;
     acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
 export type InviteCreateInput = z.infer<typeof InviteCreateInput>;
@@ -193,7 +193,7 @@ export declare const InviteCreateOutput: z.ZodObject<{
     invite: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         email: z.ZodNullable<z.ZodEmail>;
-        username: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
         claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         claimed_at: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -211,7 +211,7 @@ export declare const InviteListOutput: z.ZodObject<{
     invites: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         email: z.ZodNullable<z.ZodEmail>;
-        username: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
         claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         claimed_at: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -289,7 +289,7 @@ export declare const admin_account_list_action_spec: {
         accounts: z.ZodArray<z.ZodObject<{
             account: z.ZodObject<{
                 id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-                username: z.ZodString;
+                username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
                 email: z.ZodNullable<z.ZodEmail>;
                 email_verified: z.ZodBoolean;
                 created_at: z.ZodString;
@@ -512,7 +512,7 @@ export declare const invite_create_action_spec: {
     side_effects: true;
     input: z.ZodObject<{
         email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
-        username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        username: z.ZodOptional<z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>>;
         acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
@@ -520,7 +520,7 @@ export declare const invite_create_action_spec: {
         invite: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             email: z.ZodNullable<z.ZodEmail>;
-            username: z.ZodNullable<z.ZodString>;
+            username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
             claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             claimed_at: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -554,7 +554,7 @@ export declare const invite_list_action_spec: {
         invites: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             email: z.ZodNullable<z.ZodEmail>;
-            username: z.ZodNullable<z.ZodString>;
+            username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
             claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             claimed_at: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;